this post was submitted on 27 Jan 2026

1085 points (99.7% liked)

Technology

82188 readers

3909 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

1085

Lawsuit Alleges That WhatsApp Has No End-to-End Encryption (it.slashdot.org)

submitted 1 month ago by technocrit@lemmy.dbzer0.com to c/technology@lemmy.world

308 comments fedilink hide all child comments

As evidence, the lawsuit cites unnamed "courageous whistleblowers" who allege that WhatsApp and Meta employees can request to view a user's messages through a simple process, thus bypassing the app's end-to-end encryption. "A worker need only send a 'task' (i.e., request via Meta's internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job," the lawsuit claims. "The Meta engineering team will then grant access -- often without any scrutiny at all -- and the worker's workstation will then have a new window or widget available that can pull up any WhatsApp user's messages based on the user's User ID number, which is unique to a user but identical across all Meta products."

"Once the Meta worker has this access, they can read users' messages by opening the widget; no separate decryption step is required," the 51-page complaint adds. "The WhatsApp messages appear in widgets commingled with widgets containing messages from unencrypted sources. Messages appear almost as soon as they are communicated -- essentially, in real-time. Moreover, access is unlimited in temporal scope, with Meta workers able to access messages from the time users first activated their accounts, including those messages users believe they have deleted." The lawsuit does not provide any technical details to back up the rather sensational claims.

top 50 comments

sorted by: hot top controversial new old

[–] just_another_person@lemmy.world 139 points 1 month ago (3 children)

DUH

[–] sexy_peach@feddit.org 109 points 1 month ago (44 children)

No if this is proven it would be a real scandal and would bring a lot of users to better alternatives.

If it's false that's good too, since then WA has e2e encryption

[–] MrSoup@lemmy.zip 84 points 1 month ago (6 children)

would bring a lot of users to better alternatives.

Most users of whatsapp don't care about e2e. They hardly even know what it is.

[–] dependencyinjection@discuss.tchncs.de 35 points 1 month ago (1 children)

Right. This place sometimes forget that we are tiny community of techies that hate the system. Makes me see this place as a bit of a circlejerk at times.

[–] Chronographs@lemmy.zip 14 points 1 month ago (2 children)

Yeah the venn diagram overlap of “people who understand and care about e2ee enough to drop a messaging app for not supporting it” and “people who use whatsapp” has to be a sliver

load more comments (2 replies)

load more comments (5 replies)

load more comments (43 replies)

[–] Sunspear@piefed.social 30 points 1 month ago

Shocked, I tell you

load more comments (1 replies)

[–] BanMe@lemmy.world 107 points 1 month ago (2 children)

Well if I can't trust Meta with my information, who CAN I trust

[–] chemicalprophet@slrpnk.net 51 points 1 month ago (4 children)

[–] usernameusername@sh.itjust.works 40 points 1 month ago (4 children)

Oh okay. My location is 55.752121, 37.617664, my full name is Jeremy, and my password is hunter9. I trust you not to tell this to anybody

[–] rmuk@feddit.uk 35 points 1 month ago (3 children)

Your full name is "Jeremy"?

[–] usernameusername@sh.itjust.works 27 points 1 month ago (1 children)

Oh god damnit chemicalprofet why did you tell this guy i thougjt i could trust you :((

[–] bear@lemmy.blahaj.zone 17 points 1 month ago (1 children)

All I see is '••••••'

load more comments (1 replies)

[–] selokichtli@lemmy.ml 15 points 1 month ago* (last edited 1 month ago) (2 children)

Jeremy "Iks" Hunter IX

Edit: IX. Iks. I think we got it right now.

load more comments (2 replies)

load more comments (1 replies)

[–] Doomsider@lemmy.world 25 points 1 month ago* (last edited 1 month ago) (1 children)

Your secret is safe with us and our 36,893 affiliates.

load more comments (1 replies)

load more comments (2 replies)

load more comments (3 replies)

load more comments (1 replies)

[–] bjoern_tantau@swg-empire.de 84 points 1 month ago (1 children)

The biggest news is that Slashdot is still alive.

[–] RIotingPacifist@lemmy.world 52 points 1 month ago (1 children)

+5 insightful

[–] gnutrino@programming.dev 22 points 1 month ago

I used to find slashdot delightful,
but my feelings of late are more spiteful;
my comments sarcastic
the iconoclastic
keep modding to plus five (Insightful).

[–] wuffah@lemmy.world 70 points 1 month ago (2 children)

Assume the same for Telegram and pretty much any chat platform that controls your private keys.

[–] zeca@lemmy.ml 36 points 1 month ago (4 children)

Telegram doesnt even pretend to be end to end encrypted.

load more comments (4 replies)

load more comments (1 replies)

[–] Delilah@lemmy.blahaj.zone 63 points 1 month ago (1 children)

Wait, you are telling me that the company whos entire business is collecting personal information, including people who don't sign up for their services, to leverage for advertising, is keeping their platforms unsecured they can continually grab more information rather than secure it?

I for one am shocked, absolutely shocked.

[–] FlyingCircus@lemmy.world 22 points 1 month ago (1 children)

Yes, except they’re not leveraging your data for advertising, they’re leveraging it so they can manipulate your political views and keep you from finding solidarity with other working people.

load more comments (1 replies)

[–] socsa@piefed.social 54 points 1 month ago (4 children)

It is end to end encrypted but they can just pull the decrypted message from the app. This has been assumed for years, since they said they could parse messages for advertising purposes.

load more comments (4 replies)

[–] Rusty@lemmy.ca 50 points 1 month ago (4 children)

If I am not adding my own private key to the app, like in Tox, I don't trust their encryption.

[–] wallabra@lemmy.eco.br 41 points 1 month ago* (last edited 1 month ago) (19 children)

Tox also isn't that great security wise. It's hard to beat Signal when it comes to security messengers. And Signal is open source so, if it did anything weird with private keys, everyone would know

load more comments (19 replies)

[–] derin@lemmy.beru.co 20 points 1 month ago (1 children)

What's stopping the app from keeping your private key and still not encrypting anything?

I'm not trying to be difficult here, I just don't see how anything outside of an application whose source you can check yourself can be trusted.

All applications hosted by other people require you to react positively to "just trust me bro".

load more comments (1 replies)

load more comments (2 replies)

[–] skisnow@lemmy.ca 45 points 1 month ago* (last edited 1 month ago) (1 children)

15 years ago I’d have called this a conspiracy theory given how the evidence seems to be anecdotal, but given literally every single other thing we’ve learned in recent times about how cartoonishly evil and lying the tech bros truly are, it seems entirely likely.

load more comments (1 replies)

[–] herseycokguzelolacak@lemmy.ml 39 points 1 month ago (12 children)

WhatsApp client is closed source. Any claims around E2EE is pointless, since it's impossible to verify.

[–] cley_faye@lemmy.world 16 points 1 month ago (1 children)

It's E2EE alright. Just, don't ask what "ends" we're talking about.

load more comments (1 replies)

load more comments (11 replies)

[–] PierceTheBubble@lemmy.ml 38 points 1 month ago* (last edited 1 month ago) (4 children)

E2EE isn't really relevant, when the "ends" have the functionality, to share data with Meta directly: as "reports", "customer support", "assistance" (Meta AI); where a UI element is the separation.

Edit: it turns out cloud backups aren't E2E encrypted by default... meaning: any backup data, which passes through Meta's servers, to the cloud providers (like iCloud or Google Account), is unobscured to Meta; unless E2EE is explicitly enabled. And even then, WhatsApp's privacy policy states: "if you use a data backup service integrated with our Services (like iCloud or Google Account), they will receive information you share with them, such as your WhatsApp messages." So the encryption happens on the server side, meaning: Apple and Google still have full access to the content. It doesn't matter if you, personally, refuse to use the "feature": if the other end does, your interactions will be included in their backups.

load more comments (4 replies)

[–] arcterus@piefed.blahaj.zone 34 points 1 month ago (10 children)

So, is it basically treating every message as a "group" message where it sends it to some system WhatsApp account and then also to your intended receiver? This is what I'm assuming based on them supposedly being able to see deleted messages. Also would let them say it's technically still "E2EE" since it's indeed E2EE to your receiver, but it's also E2EE to them as well.

[–] axx@slrpnk.net 39 points 1 month ago (3 children)

Ah yes, good old E2E AWA3E.

"End to end, and we are also an end".

[–] lando55@lemmy.zip 23 points 1 month ago

The E is for "Everyone"

load more comments (2 replies)

load more comments (9 replies)

[–] lavander@lemmy.dbzer0.com 30 points 1 month ago (17 children)

Call me old fashioned but I really think that for real E2EE the vendor of the encryption and the vendor of the infrastructure should be two different entities.

For example PGP/GPG on … great! Proton? Not great

Jabber/XMMP with e2ee encryption great! WhatsApp/Telegram/signal… less so (sure I take signal over the other two every day… but it’s enough to compromise a single entity for accessing the data)

load more comments (17 replies)

[–] matlag@sh.itjust.works 28 points 1 month ago

Proposed line of defense: "With all respect, M. Judge, with all the different times we fucked our users, lied to them, tricked them, experimented on them, ignored them, we already sold private discussions on Facebook in the past, our CEO and founder most famous quote is «They trust me, dumbfucks!», the list goes on and on: no one in their sane mind would genuinely believe we were not spying on Whatsapp! They try to play dumb, they could not possibly believe we were being fair and honest THIS time?!"

[–] roserose56@lemmy.zip 25 points 1 month ago

No surprised at all tbf.

[–] Jyek@sh.itjust.works 24 points 1 month ago (21 children)

A lot of victim blaming in this thread. Why can't you just be mad for someone who was deceived?

load more comments (21 replies)

[–] Lucidlethargy@sh.itjust.works 24 points 1 month ago

You gatta be real stupid to not realize that Facebook is harvesting your data.

[–] darkmogool@feddit.org 18 points 1 month ago

insert pikachushockedface

[–] Treczoks@lemmy.world 15 points 1 month ago

Why am I not surprised? Whether there is no end-end encryption, they have a copy of every key, get the decrypted messages from the client, or can ask the client to surrender the key - it does not matter.

The point is that they never intended to leave users a secure environment. That would make the three latter agencies angry, and would bar themselves from rather interesting data on users.

load more comments